ModSecurity (original) (raw)

There are reports on memory leak on nginx -s reload, #2381 #2502 #2552 #2636 and many others .
~~Of course, #2580 doesn't solve problems.~~ (Update: #2580 should have fixed this problem.)

There is a simple poc:

#include <stdio.h> #include <unistd.h> #include "modsecurity/rules_set.h"

int main(int argc, char **argv) { int i; char *file; const char *error; #ifdef APPLE printf("top -pid %d\n", getpid()); #else printf("top -p %d\n", getpid()); #endif file = argc > 1 ? argv[1] : "memory-leak.conf"; printf("rules file: %s\n", file); for (i = 0; i < 100; ++i) { RulesSet *rules_set = msc_create_rules_set(); if (msc_rules_add_file(rules_set, file, &error) < 0) { fprintf(stderr, "error: %s\n", error); break; } msc_rules_cleanup(rules_set); } printf("100 iter completed\n"); sleep(100); return 0; }

After run 100 times on CRS rules, the memory grow to 1.2G, about 12M for rules.

Include modsecurity-v3.0.6/modsecurity.conf-recommended
Include coreruleset-3.3.2/crs-setup.conf.example
Include coreruleset-3.3.2/rules/*.conf

Of course, for nginx -s reload, it may be solved by moving msc_rules_add_file to working process, then it doesn't affect master process, and sovle the problem.

However, IMO, it should be fixed in ModSecurity, as we have shared_ptr in c++11.